The Office of the Australian Information Commissioner (OAIC) has asked that the powers given to the minister responsible under the pending Critical Infrastructure Bill, which would allow them to step in when a cybersecurity incident has occurred, be further defined to take into account the impact on individuals’ privacy.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 introduces a government assistance regime that provides powers to protect assets during or following a significant cyber attack. This includes the power to authorise information gathering directions, action directions, and intervention requests.
The Bill proposes that where an appropriate ministerial authorisation is in force, the Department of Home Affairs secretary can compel relevant entities to produce any information that may assist with determining whether power should be exercised in relation to the incident and asset in question.
“The secretary may also direct an entity ‘to do, or refrain from doing, a specified act or thing’,” the OAIC highlighted in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review into the Bill.
“This broad power should be balanced with appropriate safeguards, oversight, and accountability to ensure it is proportionate.”
The OAIC recommended that, in deciding whether or not to give the necessary authorisation, the minister responsible should be required to consider the privacy impacts of the exercise of these powers insofar as they apply to “business critical data” or other data that may include personal information.
“In our view, this would help to build both industry and community trust and confidence in the proposed framework,” the OAIC wrote.
“This requirement to consider privacy could be included in the matters that the Minister must have regard to when determining whether a direction or request is a proportionate response to a cybersecurity incident, as under ss 35AB (8) and (11).”
The OAIC said there is precedent for this approach in the Telecommunications (Interception and Access) Act 1979.
It also recommended the committee consider an amendment to ensure disclosure of protected information is permitted for the purposes of giving effect to the exercise of the information commissioner’s privacy functions.
“The OAIC wishes to ensure that the restrictions on an entity making a record of, using or disclosing protected information under [parts of the] Act do not limit the ability of the OAIC to exercise its privacy functions, or prevent entities from disclosing information required for compliance with and the administration of the Privacy Act,” it said.
The OAIC has also asked for an amendment to the Australian Information Commissioner Act 2010 to permit information sharing between regulatory agencies. The last recommendation is that the explanatory memorandum makes reference to the commissioner’s guidance function to indicate that it is intended that the OAIC is consulted in relation to any guidance on the personal information-handling obligations that would apply to the scheme.